
Understanding Microsoft BitLocker Administration and Monitoring Roles


Microsoft BitLocker Administration and Monitoring (MBAM) provides a simplified administrative interface that you can use to manage BitLocker drive encryption. You can also report on the encryption status of an individual computer and of the entire enterprise. As part of the prerequisites, you must define certain roles and accounts that MBAM uses to provide security and access rights to specific servers and features, such as the databases running on the SQL Server instance and the web applications running on the Administration and Monitoring Server. Kindly refer to the following guides: How to fix "you are not allowed to view this folder" on SSRS, how to correctly disable Microsoft BitLocker Administration and Monitoring encrypted devices, how to hide the default BitLocker Drive Encryption item in the Windows Control Panel, and how to check if Microsoft BitLocker Administration and Monitoring (MBAM) is installed on Windows.

Note: After the installation of Microsoft BitLocker Administration and Monitoring (MBAM) is complete for all server features, administrative users must be granted access to these server features. As a best practice, administrators who will manage or use MBAM server features should be assigned to Active Directory security groups and then those groups should be added to the appropriate MBAM administrative local group.

Users and Groups created in Active Directory to support MBAM installation

The following groups and users were created in Active Directory. The service accounts do not need elevated user rights; a plain domain user account is sufficient. You will have to specify the names of these groups and accounts during the configuration of MBAM 2.5. Below are the created service accounts and security groups.

[Screenshot: the MBAM service accounts and security groups as created in Active Directory]

After Microsoft BitLocker Administration and Monitoring (MBAM) Setup is complete for all server features, administrative users will have to be granted access to them. As a best practice, administrators who will manage or use Microsoft BitLocker Administration and Monitoring Server features should be assigned to Domain Services security groups, and then those groups should be added to the appropriate MBAM administrative local group. This is way better than adding users directly to the SSRS Users/Groups in order to administer the MBAM reports as shown in the image below.

[Screenshot: adding Active Directory security groups, rather than individual users, to the SSRS Users/Groups]

You are free to use any name of your choice. As you can see from the image above, and also in the table below, I have used descriptive names I will be able to identify in my Lab environment. You are free to use the name you like or as documented in the Microsoft guide.

Name | Service Account (SA) / Security Group (SG) | Description
MBAM-RO-SVC | User Account (SA) | Read-only service account: domain user whose members have read-only access to the reports in the Reports area of the Administration and Monitoring Website
MBAM-RW-SVC | User Account (SA) | Read/write service account
MBAM-IISAP-SVC | User Account (SA) | IIS application pool service account: domain user account used by the application pool for the web applications. The same account is also used on the Configure Databases page.
MBAM Helpdesk Users | Security Group (SG) | Members of this group are granted read-only access to the helpdesk portal
MBAM Advanced Helpdesk Users | Security Group (SG) | Members of this group are provided with helpdesk access without the need to specify user and computer details for recovery
MBAM Report Users | Security Group (SG) | Members of this group have access to the MBAM SSRS reports
MBAM Database Read-Only | Security Group (SG) | Security group for adding read-only database members
MBAM Database Read-Write | Security Group (SG) | Security group for adding read-write database members

As you can see in the image below, this is how these accounts and groups were added to the MBAM (SQL) Server to support the MBAM deployment. In the post-installation of SQL Server, make sure that you create the logins for these user accounts in SQL Server and assign the permissions to the users (or groups) that will be configuring the MBAM database and reporting roles on the database server. These same prerequisites also apply to the Compliance and Audit Database.

[Screenshot: the MBAM accounts and groups added as logins on the SQL Server]

To manage MBAM Administrator Role memberships

These roles are vital for the installation of MBAM features and for the post-installation configuration of MBAM features as well. Kindly refer to this link on how these roles were used in the installation of the MBAM features. On the Administration and Monitoring Server, add users to the following local groups to give them access to the MBAM Help Desk website features:

  • MBAM Helpdesk Users: Members of this local group can access the Drive Recovery and Manage TPM features on the MBAM Administration and Monitoring website. All fields in Drive Recovery and Manage TPM are required fields for a Helpdesk User.
  • MBAM Advanced Helpdesk Users: Members of this local group have advanced access to the Drive Recovery and Manage TPM features on the MBAM Administration and Monitoring website. For Advanced Helpdesk Users, only the Key ID field is required in Drive Recovery. In Manage TPM, only the Computer Domain field and Computer Name field are required.

On the Administration and Monitoring Server, add users to the following local group to enable them to access the Reports feature on the MBAM Administration and Monitoring website:

  • MBAM Report Users: Members of this local group can access the Reports features on the MBAM Administration and Monitoring website. The image below shows how this group is utilized in the installation of the MBAM reports.

[Screenshot: the MBAM Report Users group specified during the installation of the MBAM reports]
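The procedure described above (domain security groups mapped to the MBAM local groups rather than individual users), as an added PowerShell example that is not part of the original post. It creates the service accounts and security groups from the table, then, on the Administration and Monitoring Server, adds the domain groups to the local groups that MBAM Setup creates. The OU path and the NetBIOS domain name are assumptions for a lab.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module on the
# host that creates the objects; the last section runs on the Administration and
# Monitoring Server after MBAM Setup has created the local groups.
Import-Module ActiveDirectory

$DomainNetBIOS = 'LAB'                       # assumption: NetBIOS name of the lab domain
$OU            = 'OU=MBAM,DC=lab,DC=local'   # assumption: OU already exists

# Service accounts: ordinary domain users, no elevated rights needed.
$ServiceAccounts = @{
    'MBAM-RO-SVC'    = 'MBAM read-only service account'
    'MBAM-RW-SVC'    = 'MBAM read/write service account'
    'MBAM-IISAP-SVC' = 'MBAM IIS application pool service account'
}
foreach ($name in $ServiceAccounts.Keys) {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$name'")) {
        New-ADUser -Name $name -SamAccountName $name -Path $OU `
            -Description $ServiceAccounts[$name] `
            -AccountPassword (Read-Host -AsSecureString "Password for $name") `
            -Enabled $true
    }
}

# Security groups that will be mapped to the MBAM roles.
$Groups = @(
    'MBAM Helpdesk Users', 'MBAM Advanced Helpdesk Users', 'MBAM Report Users',
    'MBAM Database Read-Only', 'MBAM Database Read-Write'
)
foreach ($g in $Groups) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $OU
    }
}

# On the Administration and Monitoring Server: add the domain groups (not individual
# users) to the local groups of the same name that MBAM Setup created.
$LocalToDomain = @{
    'MBAM Helpdesk Users'          = "$DomainNetBIOS\MBAM Helpdesk Users"
    'MBAM Advanced Helpdesk Users' = "$DomainNetBIOS\MBAM Advanced Helpdesk Users"
    'MBAM Report Users'            = "$DomainNetBIOS\MBAM Report Users"
}
foreach ($local in $LocalToDomain.Keys) {
    $member   = $LocalToDomain[$local]
    $existing = Get-LocalGroupMember -Group $local -ErrorAction SilentlyContinue
    if ($existing.Name -notcontains $member) {
        Add-LocalGroupMember -Group $local -Member $member
    }
}
# Verify the resulting memberships.
Get-LocalGroupMember -Group ([string[]]$LocalToDomain.Keys) | Format-Table Name, PrincipalSource
```

Run the first two sections with an account that can create objects in the target OU and the last section as a local administrator on the Administration and Monitoring Server.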

I hope you found this blog post helpful. If you have any questions, please let me know in the comment section.
